Microsoft has partnered with a broad range of computer several security and Internet governance organizations to offer a $250,000 bounty for information that leads to the arrest and conviction of the creator(s) of the Conficker/Downadup worm. The reward is available to residents of any country—at least so far as countries laws permit; Microsoft’s partners in the effort include ICANN, DNS developers, and leading computer security firms. Microsoft is categorizing the Conficker worm as a criminal attack, and sees the $250,000 bounty as a way to put more pressure on online fraudsters and cybercriminals.
“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” said the general manager of Microsoft’s Trustworthy Computing Group, George Stathakopoulos, in a statement. “By combining our expertise with that of the broader community we can expand the boundaries of defense to better protect people worldwide.”
The Conficker/Downadup worm first appeared in October 2008 and spreads using a known buffer overflow vulnerability in Windows. Once executed, the worm disables Windows Update and security utilities, and attaches itself to common processes like Internet Explorer and svchost.exe. Once running, the worm contacts a master server for additional payloads, which can include additional malware; part of Conficker’s insidiousness is that it “phones home” to a list of 250 different domains every day, making it difficult for security firms to locate and pre-empt the master server controlling compromised machines. While the worm’s domain selection process has been cracked and patches and utilities are available to keep it from successfully downloading additional payloads, the worm has still infected an estimated 9 million computers.
ICANN, Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, Shadowserver Foundation, Arbor Networks, and Support Intelligence have partnered with Microsoft on the bounty program.
Microsoft has posted a security bulletin detailing how to disable and remove the worm from infected systems.